Summary
According to the function documentation:
```go
// EvalSymlinks returns the path name after the evaluation of any symbolic
// links.
// If path is relative the result will be relative to the current directory,
// unless one of the components is an absolute symbolic link.
// EvalSymlinks calls [Clean] on the result.
```
Steps to reproduce the behavior
```go
// Parse creates a configuration from a configuration file with name fileName.
func (c *Config) parse(fileName string) error {
	info, err := os.Lstat(fileName)
	// Return on any Lstat error, not only "not exist": otherwise info is nil
	// and info.Mode() below panics.
	if err != nil {
		return err
	}
	mode := info.Mode()
	var filePath string
	if mode&os.ModeSymlink != 0 {
		var err error
		if filePath, err = filepath.EvalSymlinks(fileName); err != nil {
			return err
		}
		// Somehow gosec doesn't know that filepath.EvalSymlinks calls
		// filepath.Clean.
		filePath = filepath.Clean(filePath)
	} else {
		filePath = filepath.Clean(fileName)
	}
	file, err := os.ReadFile(filePath)
	if err != nil {
		return err
	}
	// ... (use of file elided in the report)
}
```
gosec version
```
go install github.com/securego/gosec/v2/cmd/gosec@latest
```
or
```
> gosec -version
Version: dev
Git tag:
Build date:
```
Go version (output of 'go version')
```
go version go1.22.2 linux/amd64
```
Operating system / Environment
Ubuntu 22.04
Expected behavior
I was hoping not to have to include the following three lines in my code example:
roelvandergoot changed the title from "Gosec False positive on G304 (CWE-22) after filepath.EvalSymlinks" to "False positive on G304 (CWE-22) after filepath.EvalSymlinks" on Apr 19, 2024
Actual behavior
Without those lines gosec complains:
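As an added example (not code from the issue or from the gosec project): EvalSymlinks followed by Clean canonicalises a path, but it does not restrict where the path may point, which is what G304 (CWE-22) is about. The check that actually addresses the finding is confining the fully resolved path to an allowed root; once that is done, a remaining G304 report on the read is a genuine false positive and can be suppressed with gosec's `#nosec G304` annotation. The names `resolveWithin`, `readConfigWithin` and `ErrOutsideRoot`, the temp-directory layout and the file contents are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when the fully resolved path escapes root.
// (Name chosen for this example; not a gosec or stdlib identifier.)
var ErrOutsideRoot = errors.New("path resolves outside the allowed root")

// resolveWithin does what the parse function in the report does (Lstat,
// EvalSymlinks, Clean) and then adds the check that actually addresses
// CWE-22: the final, symlink-free path must still lie under root.
// A relative fileName is interpreted relative to root, not to the CWD.
func resolveWithin(root, fileName string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Canonicalise root as well, so a root that is itself a symlink
	// compares correctly against the resolved candidate.
	absRoot, err = filepath.EvalSymlinks(absRoot)
	if err != nil {
		return "", err
	}
	candidate := fileName
	if !filepath.IsAbs(candidate) {
		candidate = filepath.Join(absRoot, candidate) // Join also Cleans
	}
	// Fail on any Lstat error (not only "not exist") before going further.
	if _, err := os.Lstat(candidate); err != nil {
		return "", err
	}
	// EvalSymlinks follows every link component and calls Clean on the
	// result, so no separate Clean call is needed afterwards.
	resolved, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err
	}
	// Compare with a trailing separator so that "/srv/app2" is not accepted
	// for root "/srv/app".
	if resolved != absRoot && !strings.HasPrefix(resolved, absRoot+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

// readConfigWithin reads fileName only if it resolves to a path under root.
func readConfigWithin(root, fileName string) ([]byte, error) {
	p, err := resolveWithin(root, fileName)
	if err != nil {
		return nil, err
	}
	// The path has been confined above, so a G304 finding on this read is a
	// true false positive and is suppressed with gosec's annotation.
	return os.ReadFile(p) // #nosec G304
}

// main builds a constructed layout in temp dirs: one link that stays inside
// root and one that points outside it, plus a "../" traversal attempt.
func main() {
	root, _ := os.MkdirTemp("", "cfgroot")
	outside, _ := os.MkdirTemp("", "outside")
	defer os.RemoveAll(root)
	defer os.RemoveAll(outside)
	_ = os.WriteFile(filepath.Join(root, "app.conf"), []byte("listen=127.0.0.1:8080\n"), 0o600)
	_ = os.WriteFile(filepath.Join(outside, "secret.conf"), []byte("token=constructed\n"), 0o600)
	_ = os.Symlink(filepath.Join(root, "app.conf"), filepath.Join(root, "good.conf"))
	_ = os.Symlink(filepath.Join(outside, "secret.conf"), filepath.Join(root, "bad.conf"))
	for _, name := range []string{"app.conf", "good.conf", "bad.conf", "../" + filepath.Base(outside) + "/secret.conf"} {
		data, err := readConfigWithin(root, name)
		fmt.Printf("%-40s -> data=%q err=%v\n", name, data, err)
	}
}
```

The prefix comparison is done on the output of EvalSymlinks for both root and candidate, so a link inside root that points outside it is rejected even though every path component is syntactically under root.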